Paper presented at the 33rd Annual Southern African Transport Conference 7-10 July 2014 "Leading Transport into the Future", CSIR International Convention Centre, Pretoria, South Africa.
South Africa embarked on a world first when it promulgated legislation to ensure that it
future-proofed fare revenue collection for its public transport system. The legislation did
not get promulgated without resistance from local and international fare collection
product suppliers. The promulgation is technology agnostic, and only refers to a bank
issued fare medium that must be based on the Europay MasterCard Visa (EMV)
standard that should contain the Automated Fare Collection (AFC) Data Structure (DS).
The AFC DS in turn is defined as electronic tags that are used for recording and
retrieving public transport-related data.
Herein lies the vulnerability of the legislation. Card Associations (CAs), such as
MasterCard, Visa, and American Express to name but a few, create bank issued media
implementations that authenticate financial transactions that comply with the strict EMV
specification. These CAs also provide AFC DS mechanisms that provide access to the
electronic tags that are referenced within the legislation. These AFC DS access
mechanisms are not governed by EMV. Nor are these mechanisms governed,
reviewed, or audited for “fit-for-purpose” within the public transport domain. They
are provided as is and do not come with any warranty and/or guarantee that fare
calculations will be secure, reliable, and consistent. How could they, when they are not
part of the calculation process?
If the AFC DS electronic tags can be compromised, meaning the public transport data
on the fare medium can be manipulated, then the CAs have a direct impact on whether
fares are calculated correctly or incorrectly.
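As an added illustration (not code from the paper, nor from any card association or
fare system), the following constructed model shows the distinction the abstract draws:
EMV authenticates the financial transaction, but the public transport data held in the
AFC tags is a separate, unauthenticated record, so a validator that prices a trip straight
from those tags accepts whatever the card presents. The hardened variant refuses to price
a trip unless an issuer MAC over the tags verifies. Tag numbers, zones, fares, the record
format and the key are all made up for the example; the MAC scheme is one conventional
mitigation, not the paper's recommendation.

```python
"""Added illustration: fare data read from unauthenticated card tags versus
fare data whose integrity is checked first. Every identifier below is
constructed for the example; none is a real EMV or AFC DS tag."""
import hashlib
import hmac

# Constructed tag identifiers for the AFC data elements on the fare medium.
TAG_ENTRY_ZONE = 0x01   # zone where the passenger tapped in
TAG_CONCESSION = 0x02   # 0x00 = full fare, 0x01 = concession (discounted)
TAG_MAC = 0x7F          # issuer MAC over the other tags (hardened scheme only)

# Constructed zone-to-zone fare table in cents and concession discount.
FARE_CENTS = {(1, 1): 800, (1, 2): 1200, (2, 1): 1200, (2, 2): 800}
CONCESSION_RATE = 0.5

# Placeholder issuer key; a real deployment would hold this in a SAM/HSM.
ISSUER_KEY = b"constructed-issuer-key-placeholder"


def encode_tags(tags: dict) -> bytes:
    """Serialise tags as a simple tag-length-value blob (1-byte tag, 1-byte length)."""
    out = bytearray()
    for tag in sorted(tags):           # fixed order so the MAC input is canonical
        value = tags[tag]
        if len(value) > 255:
            raise ValueError("value too long for one-byte length")
        out += bytes([tag, len(value)]) + value
    return bytes(out)


def parse_tags(blob: bytes) -> dict:
    """Parse a TLV blob back into a tag->bytes dict, rejecting truncated input."""
    tags, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated tag header")
        tag, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated tag value")
        tags[tag] = value
        i += 2 + length
    return tags


def fare_for(entry_zone: int, exit_zone: int, concession: bool) -> int:
    """Price a trip from the fare table, applying the concession discount."""
    base = FARE_CENTS[(entry_zone, exit_zone)]
    return int(base * CONCESSION_RATE) if concession else base


def calc_fare_trusting_card(blob: bytes, exit_zone: int) -> int:
    """Weak validator: takes every AFC tag on the card at face value."""
    tags = parse_tags(blob)
    return fare_for(tags[TAG_ENTRY_ZONE][0], exit_zone,
                    tags[TAG_CONCESSION] == b"\x01")


def _mac_over(tags: dict, key: bytes) -> bytes:
    """HMAC-SHA256 (truncated to 16 bytes) over every tag except the MAC itself."""
    body = encode_tags({t: v for t, v in tags.items() if t != TAG_MAC})
    return hmac.new(key, body, hashlib.sha256).digest()[:16]


def sign_tags(tags: dict, key: bytes) -> bytes:
    """Issuer side: write the tags plus a MAC that binds them to the issuer key."""
    return encode_tags({**tags, TAG_MAC: _mac_over(tags, key)})


def verify_tags(blob: bytes, key: bytes):
    """Validator side: return the tags only if the MAC is present and intact."""
    tags = parse_tags(blob)
    if TAG_MAC not in tags:
        return None
    if not hmac.compare_digest(_mac_over(tags, key), tags[TAG_MAC]):
        return None
    return tags


def calc_fare_verified(blob: bytes, exit_zone: int, key: bytes):
    """Hardened validator: refuses (returns None) to price a trip from tampered data."""
    tags = verify_tags(blob, key)
    if tags is None:
        return None
    return fare_for(tags[TAG_ENTRY_ZONE][0], exit_zone,
                    tags[TAG_CONCESSION] == b"\x01")


def flip_concession(blob: bytes) -> bytes:
    """Constructed manipulation for the demo: set the concession flag, leave the rest."""
    tags = parse_tags(blob)
    tags[TAG_CONCESSION] = b"\x01"
    return encode_tags(tags)


# Constructed sample records: an honest full-fare tap-in at zone 1, and the same
# record with its concession flag altered on the medium.
HONEST = sign_tags({TAG_ENTRY_ZONE: b"\x01", TAG_CONCESSION: b"\x00"}, ISSUER_KEY)
ALTERED = flip_concession(HONEST)

if __name__ == "__main__":
    print("trusting validator, honest card:", calc_fare_trusting_card(HONEST, 2))
    print("trusting validator, altered card:", calc_fare_trusting_card(ALTERED, 2))
    print("verifying validator, honest card:", calc_fare_verified(HONEST, 2, ISSUER_KEY))
    print("verifying validator, altered card:", calc_fare_verified(ALTERED, 2, ISSUER_KEY))
```

The trusting validator charges 600 cents for the altered record instead of 1200, while
the verifying validator rejects it. A MAC alone does not stop an old but validly signed
record from being written back onto the medium; a deployment would add a monotonic
counter or reconcile against a back-office ledger for that case.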
All the AFC Data Structure mechanisms provided to date can be compromised
to some extent. Additional legislation that was promulgated also inhibits the use of the
AFC Data Structure to its full extent as originally envisaged. This paper will briefly
provide detail on some of these issues, their impact, mitigation measures, and a
recommendation for a more secure implementation.